CN104766011A - Host-feature-based sandbox detection and alarm method and system - Google Patents

Publication number: CN104766011A (granted as CN104766011B)
Application number: CN201510134971.XA
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 刘志永, 王红凯, 夏正敏, 伍军, 宿雅婷, 李建华
Original assignees: State Grid Corp of China SGCC; Beijing Guodiantong Network Technology Co Ltd
Current assignees: Shanghai Jiaotong University; State Grid Corp of China SGCC; Beijing Guodiantong Network Technology Co Ltd; Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Legal status: granted; Expired - Fee Related

Abstract

The invention provides a host-feature-based sandbox detection and alarm method and system. The method comprises: inserting a virtual machine monitor between the user operating system and the computer hardware system, the virtual machine monitor providing the virtual machine with a virtual hardware platform that fully emulates the computer hardware system, with the user operating system running on that platform; while the unknown program under test runs on the virtual machine, tracking and detecting the host features of the virtual system; and, from the tracking and detection results for those host features, identifying an alarm level, generating the alarm information corresponding to that level, and recording the unknown program in the form of log information. By running the unknown program in the virtual-machine-monitor environment, the method and system discover malicious programs and monitor the whole attack life cycle of a malicious program.

Description

Host-feature-based sandbox detection and alarm method and system
Technical field
The present invention relates to malicious-program detection technology and the field of network security, in particular to a host-feature-based sandbox detection and alarm method and system.
Background technology
Information and Internet technologies have changed how people acquire knowledge and communicate, and enterprises use them to raise staff efficiency, strengthen operations and open new markets; but the same technologies also increase an organisation's exposure to attack, so continually improving malicious-program detection is needed to deal with potential and ongoing threats. For example, State Grid Corporation of China, a key enterprise for national energy security and the national economy, carries the basic mission of providing safe and sustainable electricity for social and economic development, yet it also faces a constantly evolving cyber-threat environment and therefore needs a detection system capable of deep threat identification.
To contain unknown threats attacking a system, protect user data from theft and minimise the loss caused by intrusions, reliable detection means are needed to identify unknown threats and to contain their spread and attack behaviour promptly and effectively. A search of the existing literature shows that two classes of method currently dominate the detection of unknown malicious programs.
Chinese patent application 201110226659, "Malicious code detection method, system and related apparatus", uses the host's virtual machine monitor to observe the read/write requests the guest issues while executing program code in the virtual machine, together with the conditional-execution instructions generated on traps to the monitor, derives execution features of the program code, and compares them with pre-stored execution features of known malicious code to decide whether the code is malicious.
In that scheme the only monitored signal is the host's read/write requests while the code runs; a single monitoring channel makes more complex attacks hard to detect. As attack techniques develop rapidly, attackers adopt a range of anti-detection and evasion techniques that bypass the sandbox's behaviour analysis, so the detection method of that application loses its effectiveness.
Chinese patent application 201210376077, "Method and device for detecting file behaviour characteristics", first determines the category of the file under test, then runs it in the sandbox assigned to that category, collects the behaviour it produces during execution and compares that behaviour with the benign-behaviour library of the category; if any behaviour falls outside the benign-behaviour library, the file is judged malicious.
Although this scheme can detect some known malicious behaviour, its table-lookup comparison consumes considerable memory and computing resources, so efficiency is low, and it cannot judge attacks that have not occurred before, so a new threat may cause greater damage to the system and greater loss.
Summary of the invention
The object of the present invention is to provide a host-feature-based sandbox detection and alarm method and system, to address the inability of the prior art to detect malicious programs effectively and the defects present when it does detect them.
To solve the above technical problem, the invention provides a host-feature-based sandbox detection and alarm method. The method operates on a computer hardware system and a virtual machine: a user operating system runs on the computer hardware system, the virtual machine provides a virtual system for the unknown program under test, and the unknown program runs on the virtual machine. The method comprises at least the following steps:
inserting a virtual machine monitor between the user operating system and the computer hardware system, the virtual machine monitor providing the virtual machine with a virtual hardware platform that fully emulates the computer hardware system, with the user operating system running on that virtual hardware platform;
while the unknown program runs on the virtual machine, tracking and detecting the host features of the virtual system;
according to the tracking and detection results for the host features of the virtual system, identifying an alarm level, generating the alarm information corresponding to that alarm level, and recording the unknown program in the form of log information.
As an improvement of the method, the host features of the virtual system mainly comprise instruction features and behaviour features.
Tracking and detection of instruction features mainly comprises detecting the code execution state in the heap and stack and abnormal changes of memory space while instructions run, and using that behaviour to judge whether a vulnerability is being triggered;
tracking and detection of the behaviour features of the virtual system mainly comprises detecting the details of processes, files, the registry, network connections and services, judging the threat posed by the unknown program from the detection results, and analysing the function of the unknown program.
As a further improvement, detecting process details mainly comprises detecting whether the unknown program creates processes, terminates other processes, writes to the memory of another process, creates remote threads, injects global hooks, loads modules, loads drivers or modifies memory attributes;
detecting file details mainly comprises detecting whether the unknown program creates, deletes or modifies files in system directories or sensitive directories;
detecting registry details mainly comprises detecting whether the unknown program creates, modifies or deletes registry entries;
detecting network-connection details mainly comprises detecting whether the unknown program contains C&C domain names, whether it actively opens a listening port on the local host and waits for a controller to connect (a remote-control Trojan), whether any network connection is made to a C&C address, and whether the transmitted data contains C&C communication content;
detecting service details mainly comprises taking a snapshot of the original system services and application services in the sandbox and judging from it, in the virtual machine monitor, the starting, stopping and addition of services.
Sandbox as Intrusion Detection based on host feature of the present invention detects the improvement of alarm method, and the concrete grammar detected the details of described process is as follows:
When described unknown program to be detected creates a new process, allow it to create, do not produce alarm;
When described unknown program to be detected opens process, allow it to open any process, and monitoring return and open result, does not produce alarm;
When described unknown program to be detected reads process data, for general process, allow it to read, only monitor its data, do not produce alarm; For strict shielded process, allow it to read, produce alarm;
When described unknown program write process data to be detected, if target process is the process that it creates, allows its write data, only monitor its data, do not produce alarm; Otherwise, produce alarm;
When described unknown program to be detected terminates process, if the process that is moved to end is process that himself or its create, only monitors its data, do not produce alarm; Otherwise, produce alarm.
Sandbox as Intrusion Detection based on host feature of the present invention detects the improvement of alarm method, and the concrete grammar that the details connected described network detect is as follows:
When described unknown program interconnection network to be detected, allow it to connect, and record the remote ip address of connection;
When described unknown program to be detected connects C & C server, record network characterization, further discovery, Tracking Botnets, and produce alarm;
When described unknown program transmission to be detected, reception data, record data content, and determine whether the Content of communciation of C & C, if so, then produce alarm;
Initiatively open listening port at described unknown program to be detected in this locality, wait for that control end connects, record network monitoring details, and produce alarm.
Sandbox as Intrusion Detection based on host feature of the present invention detects the improvement of alarm method, according to the tracing detection result of the host-feature of described virtual system, identify alarm level, produce the warning information corresponding to described alarm level, and in the mode of log information, record is carried out to described unknown program to be detected, concrete grammar is:
Pre-set the different stage alarm conditions that rogue program can trigger, and the different warning information corresponding from different stage alarm conditions, and divide the threat level of each warning information;
According to the tracing detection result of the host-feature of described virtual system, determine the alarm conditions rank that described unknown program to be detected triggers;
The weight of different behavior is obtained according to the alarm conditions rank of described unknown program triggering to be detected;
Summation is weighted to all behaviors of described unknown program to be detected, corresponding warning information is produced according to the result of weighted sum, the threat level that described unknown program to be detected is corresponding is judged according to described warning information, and confirm the malicious of described unknown program to be detected with this, carry out record in the mode of log information.
Sandbox as Intrusion Detection based on host feature of the present invention detects the improvement of alarm method, and when dividing the threat level of each warning information, by hierarchically for warning information dividing into high-level threat, middle rank threatens, low level threatens, doubtful threat and without threat.
Sandbox as Intrusion Detection based on host feature of the present invention detects the improvement of alarm method, process weight a, file weight b, registration table/serve common weight c, network connection weight d, wherein a+b+c+d=1 is mainly comprised according to the different behavior weights that the alarm conditions rank of described unknown program triggering to be detected obtains; Wherein, when being weighted summation to all behaviors of described unknown program to be detected, according to the weighted sum that sequence carries out process item by item, file, registration table/service and network connect behavior.
Sandbox as Intrusion Detection based on host feature of the present invention detects the improvement of alarm method, when arranging the different stage alarm conditions that rogue program can trigger, the highest level alarm conditions that can trigger for the rogue program set by file, registration table, service, network and process are as follows respectively:
Network highest level alarm conditions: find described unknown program to be detected and known C & C network type communication;
Registration table highest level alarm conditions: described unknown program to be detected reads, registry file occurs when opening file changes, or revises registration table sensitizing range when running described unknown program to be detected;
File highest level alarm conditions: described unknown program to be detected reads, change system directory or responsive catalogue file when opening file or run described unknown program to be detected;
Process highest level alarm conditions: described unknown program to be detected reads, have modified original process when opening file or run described unknown program to be detected;
Service highest level alarm conditions: described unknown program to be detected reads, add service when opening file, or when running described unknown program to be detected, occurred knownly there is the Service name threatened.
The invention also provides a host-feature-based sandbox detection and alarm system comprising a computer hardware system and a virtual machine, where a user operating system runs on the computer hardware system, the virtual machine provides a virtual system for the unknown program under test, and the unknown program runs on the virtual machine. The system comprises at least:
a basic sandbox module, for inserting a virtual machine monitor between the user operating system and the computer hardware system, the virtual machine monitor providing the virtual machine with a virtual hardware platform that fully emulates the computer hardware system, with the user operating system running on that platform;
a host-feature analysis module, for tracking and detecting the host features of the virtual system while the unknown program runs on the virtual machine;
an alarm module, for identifying an alarm level from the tracking and detection results for the host features of the virtual system, generating the alarm information corresponding to that level, and recording the unknown program as log information.
Compared with the prior art, the host-feature-based sandbox detection and alarm method and system of the invention have the following beneficial effects and advantages:
the method runs the unknown program in a virtual-machine-monitor environment, thereby discovering malicious programs and monitoring the whole attack life cycle of a malicious program;
the method can monitor and detect malicious-program behaviour at the exploitation stage, avoiding the missed detections that arise when only later-stage activity is examined;
the system lets the malicious program act on a virtual platform that closely approximates a real user environment while the unknown program is examined, so the false-alarm rate is very low.
Brief description of the drawings
Fig. 1 is a schematic diagram of the host-feature-based sandbox detection and alarm method of the first embodiment of the invention.
Fig. 2 is a structural diagram of the host-feature-based sandbox detection and alarm system of the second embodiment of the invention.
Fig. 3 is a schematic diagram of the unknown program under test running in the host-feature-based sandbox detection and alarm system of the second embodiment of the invention.
Fig. 4 is a flow diagram of the host-feature-based sandbox detection and alarm method of the second embodiment of the invention in practical application.
Reference numerals
S1 to S3: steps
1: basic sandbox module
2: host-feature analysis module
3: alarm module
Detailed description
To make the object, technical solution and advantages of the invention clearer, the embodiments of the invention are explained in detail below with reference to the drawings. A person of ordinary skill in the art will appreciate that many technical details are given in each embodiment to help the reader understand the application; the technical solution claimed in each claim can, however, be realised even without these details and with various changes and modifications to the following embodiments.
The first embodiment of the invention is a host-feature-based sandbox detection and alarm method, shown in Fig. 1. It operates on a computer hardware system and a virtual machine: a user operating system runs on the computer hardware system, the virtual machine provides a virtual system for the unknown program under test, and the unknown program runs on the virtual machine. The method comprises at least:
Step S1: insert a virtual machine monitor between the user operating system and the computer hardware system, the virtual machine monitor providing the virtual machine with a virtual hardware platform that fully emulates the computer hardware system, with the user operating system running on that platform.
Step S2: while the unknown program runs on the virtual machine, track and detect the host features of the virtual system.
Step S3: from the tracking and detection results for the host features of the virtual system, identify an alarm level, generate the alarm information corresponding to that level, and record the unknown program as log information.
Step S2 mainly performs host-feature analysis: under instruction-level code analysis, the instruction features and behaviour features of the virtual system are tracked and detected while the unknown program executes. That is, the host features of the virtual system mainly comprise instruction features and behaviour features. Tracking and detection of instruction features mainly comprises detecting the code execution state in the heap and stack and abnormal changes of memory space while instructions run, and using that behaviour (for example the various kinds of overflow) to judge whether a vulnerability is being triggered. Tracking and detection of the behaviour features of the virtual system mainly comprises detecting the details of processes, files, the registry, network connections and services, judging the threat posed by the unknown program from the detection results, and analysing its function (for example, when the unknown program is malicious, the specific attack it carries out).
Detecting process details mainly comprises detecting whether the unknown program creates processes, terminates other processes, writes to the memory of another process, creates remote threads, injects global hooks, loads modules, loads drivers or modifies memory attributes. Once the unknown program is observed creating a process, terminating another process, writing to another process's memory, creating a remote thread, injecting a global hook, loading a module, loading a driver or modifying memory attributes, malicious-code detection is performed, providing the basis for the final threat judgement.
The concrete method for detecting process details is as follows: when the unknown program creates a new process, allow the creation and raise no alarm; when the unknown program opens a process, allow it to open any process, monitor the returned open result, and raise no alarm; when the unknown program reads process data, for an ordinary process allow the read, only monitoring the data, and raise no alarm, while for a strictly protected process allow the read but raise an alarm; when the unknown program writes process data, if the target process is one it created itself, allow the write, only monitoring the data, and raise no alarm, otherwise raise an alarm; when the unknown program terminates a process, if the terminated process is itself or one it created, only monitor the data and raise no alarm, otherwise raise an alarm.
Detecting file details mainly comprises detecting whether the unknown program creates, deletes or modifies files in system directories or sensitive directories. Once a create, delete or modify action on a file in a system directory or sensitive directory (for example the "Program Files" directory) is observed, malicious-code detection is entered, providing the basis for the final threat judgement.
Detecting registry details mainly comprises detecting whether the unknown program creates, modifies or deletes registry entries. Once a create, modify or delete action on the registry is observed, malicious-code detection is entered, providing the basis for the final threat judgement.
Detecting network-connection details mainly comprises detecting whether the unknown program contains C&C (command-and-control server) domain names, whether it actively opens a listening port on the local host and waits for a controller to connect (a remote-control Trojan), and detecting network connections to C&C addresses and C&C communication content in the transmitted data.
The concrete method for detecting network-connection details is as follows: when the unknown program connects to the network, allow the connection and record the remote IP address; when the unknown program connects to a C&C server, record the network characteristics, use them to discover and track the botnet further, and raise an alarm; when the unknown program sends or receives data, record the data content and determine whether it is C&C communication content, and if so raise an alarm; when the unknown program actively opens a listening port on the local host and waits for a controller to connect, record the listening details and raise an alarm.
Detecting service details mainly comprises taking a snapshot of the original system services and application services in the sandbox and judging from it, in the virtual machine monitor, the starting, stopping and addition of services.
In step S3, the concrete method is as follows:
Step S201: pre-set the alarm conditions of different ranks that a malicious program can trigger and the different alarm information corresponding to each rank of alarm condition, and divide each item of alarm information into a threat level.
Step S202: from the tracking and detection results for the host features of the virtual system, determine the rank of alarm condition triggered by the unknown program.
Step S203: obtain the weight of each behaviour from the rank of alarm condition triggered by the unknown program.
Step S204: perform a weighted summation over all behaviours of the unknown program, generate the corresponding alarm information from the weighted sum, judge the threat level of the unknown program from that alarm information, confirm the maliciousness of the unknown program on that basis, and record the result as log information.
When dividing alarm information into threat levels, the alarm information is graded hierarchically into high-level threat, medium-level threat, low-level threat, suspected threat and no threat.
In addition, the behaviour weights obtained from the rank of alarm condition triggered by the unknown program mainly comprise a process weight a, a file weight b, a shared registry/service weight c and a network-connection weight d, where a+b+c+d=1. For example, the weights obtained from the triggered alarm-condition rank may be process 20%, file 10%, registry/service 40% and network connection 30%. The weighted summation over all behaviours of the unknown program is performed item by item, in the order process, file, registry/service and network-connection behaviour.
In addition, when setting the alarm conditions of different ranks that a malicious program can trigger, the highest-rank alarm conditions set for files, the registry, services, the network and processes are respectively:
A. Network highest-rank alarm condition: the unknown program is found to communicate with a known C&C network.
B. Registry highest-rank alarm condition: the registry file changes while the unknown program reads or opens files, or a sensitive area of the registry is modified while the unknown program runs.
C. File highest-rank alarm condition: files in system directories or sensitive directories are changed while the unknown program reads or opens files or while it runs.
D. Process highest-rank alarm condition: an existing process is modified while the unknown program reads or opens files or while it runs.
E. Service highest-rank alarm condition: a service is added while the unknown program reads or opens files, or a service name with a known threat appears while the unknown program runs.
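The weighted aggregation of steps S201 to S204, with the weights a=20%, b=10%, c=40%, d=30% given above and the five threat levels, is worked through in the following Python. It is an added example, not code from the patent or its assignees (the summary of the invention describes the same procedure). The description fixes only the highest-rank alarm condition per category; the lower ranks in category_rank, the mapping of ranks to a 0..1 score and the threat-level thresholds are assumptions made for the example, and the per-category summaries it scores are constructed.

```python
"""Weighted alarm-level aggregation (steps S201 to S204).

Added example: category weights follow the description (a=0.2, b=0.1,
c=0.4, d=0.3); the branches below the HIGH rule in each category, the
rank-to-score mapping and the thresholds are assumptions for this example.
"""
from enum import IntEnum


class Rank(IntEnum):
    """Alarm-condition rank of one category (assumed 0..4 scale)."""
    NONE = 0
    SUSPECT = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4


# a, b, c, d from the description; registry and service share one weight.
# The list order is the item-by-item summation order the description gives.
WEIGHTS = [("process", 0.2), ("file", 0.1), ("registry_service", 0.4), ("network", 0.3)]
assert abs(sum(w for _, w in WEIGHTS) - 1.0) < 1e-9

# Assumed thresholds on the weighted sum (0..1), checked from the top.
THRESHOLDS = [(0.75, "high-level threat"), (0.5, "medium-level threat"),
              (0.25, "low-level threat")]


def category_rank(cat, summary):
    """Rank one category from a per-category detection summary.

    The HIGH branch in each category is the highest-rank condition the
    description gives; the lower branches are assumptions for the example.
    """
    s = summary.get(cat, {})
    if cat == "network":
        if s.get("known_c2_comm"):
            return Rank.HIGH
        if s.get("c2_content") or s.get("listener"):
            return Rank.MEDIUM
        if s.get("connections", 0) > 0:
            return Rank.SUSPECT
    elif cat == "registry_service":
        reg, svc = summary.get("registry", {}), summary.get("service", {})
        if reg.get("sensitive_area_modified") or svc.get("known_threat_name"):
            return Rank.HIGH
        if reg.get("modified") or svc.get("added"):
            return Rank.MEDIUM
        if reg.get("created") or reg.get("deleted") or svc.get("started") or svc.get("stopped"):
            return Rank.LOW
    elif cat == "file":
        if s.get("system_or_sensitive_dir_changed"):
            return Rank.HIGH
        if s.get("files_written", 0) > 0:
            return Rank.LOW
    elif cat == "process":
        if s.get("existing_process_modified"):
            return Rank.HIGH
        if s.get("foreign_process_terminated") or s.get("protected_process_read"):
            return Rank.MEDIUM
        if s.get("processes_created", 0) > 0:
            return Rank.SUSPECT
    return Rank.NONE


def weighted_score(summary):
    """Item-by-item weighted sum in the order process, file, registry/service, network."""
    total = 0.0
    breakdown = []
    for cat, weight in WEIGHTS:
        rank = category_rank(cat, summary)
        contribution = weight * (rank / Rank.HIGH)   # scale the rank to 0..1
        total += contribution
        breakdown.append((cat, rank.name, round(contribution, 3)))
    return round(total, 3), breakdown


def threat_level(total):
    """Map the weighted sum to the five levels of the description."""
    if total <= 0.0:
        return "no threat"
    for threshold, name in THRESHOLDS:
        if total >= threshold:
            return name
    return "suspected threat"


def assess(summary):
    """Return (level, total, breakdown): the record that would be logged."""
    total, breakdown = weighted_score(summary)
    return threat_level(total), total, breakdown


# Constructed per-category summary for the demonstration.
SAMPLE_SUMMARY = {
    "process": {"processes_created": 1, "existing_process_modified": True},
    "file": {"files_written": 3},
    "registry": {"created": True},
    "service": {},
    "network": {"connections": 2, "c2_content": True},
}

if __name__ == "__main__":
    level, total, breakdown = assess(SAMPLE_SUMMARY)
    for cat, rank, contrib in breakdown:
        print(f"{cat:17s} {rank:8s} {contrib:.3f}")
    print(f"weighted sum {total:.3f} -> {level}")
```

With the quoted weights, a sample whose only finding is communication with a known C&C network scores d × 1 = 0.3, which these thresholds map to a low-level threat although it meets the network category's highest-rank condition. The description does not say whether a single highest-rank condition should escalate the result regardless of the weighted sum; a deployment needs to decide that explicitly, because the 40% registry/service weight otherwise dominates the score.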
The sandbox of the Intrusion Detection based on host characteristic of present embodiment detects alarm method, can by running unknown program to be detected in monitor of virtual machine environment, thus discovery rogue program, and (comprise the communication between the monitoring vulnerability exploit of rogue program and order Control Server C & C, downloads further maliciously executable file, network are adjusted back) is monitored to the whole attack life cycle of rogue program.In addition, can monitor and detect the rogue program behavior in vulnerability exploit stage, avoid and only detect movable and the failing to report (this stage can adopt a series of modes such as encryption to escape) of producing of later stage.
The step of various method divides above, just in order to be described clearly, can merge into a step or splitting some step, being decomposed into multiple step, when realizing as long as comprise identical logical relation, all in the protection domain of this patent; To adding inessential amendment in algorithm or in flow process or introducing inessential design, but the core design not changing its algorithm and flow process is all in the protection domain of this patent.
The second embodiment of the present invention relates to a host-feature-based sandbox detection and alarm system comprising a computer hardware system and a virtual machine. A user operating system can run on the computer hardware system; the virtual machine provides a virtual system for the unknown program under test, and the unknown program under test runs on the virtual machine, as shown in Figure 3. As shown in Figure 2, the host-feature-based sandbox detection and alarm system comprises at least:
A basic sandbox module 1, for inserting a virtual machine monitor between the user operating system and the computer hardware system, wherein the virtual machine monitor provides the virtual machine with a virtual hardware platform that fully simulates the computer hardware system, and the user operating system runs on that virtual hardware platform.
A host-feature analysis module 2, connected to the basic sandbox module 1, for tracing and detecting the host features of the virtual system while the unknown program under test runs on the virtual machine.
An alarm module 3, connected to the host-feature analysis module 2, for identifying the alarm level from the tracing and detection results for the host features of the virtual system, generating the warning information corresponding to that alarm level, and recording the unknown program under test in the form of log information.
It should be noted that the basic sandbox module refers to a sandbox architecture implemented with full virtualization (Full-virtualization) technology. Full virtualization uses software simulation to give the user operating system a complete virtual copy of the hardware; from inside such an operating system there is no difference between running on the virtual hardware and running on the original computer hardware system. The sandbox technology used in this embodiment can therefore reproduce the execution of the unknown program under test as faithfully as possible, and can also assess in relative detail, at the system level, the damage caused by the unknown program under test, in particular by a malicious program. The virtual machine monitor (Virtual Machine Monitor, VMM) builds a complete virtual hardware platform for the virtual machine, and the user operating system runs in the VMM environment.
In addition, the computer hardware system consists mainly of three parts, the processor, the memory and the network interface, and mainly provides the physical operating environment for the basic sandbox module. The virtual machine builds a virtual system for the unknown program under test; while the unknown program under test runs on the virtual machine, changes in host features such as processes, files, the registry, services and network connections are detected, the corresponding alarm level is determined by the alarm module, and warning information is generated.
The specific flow of the host-feature-based sandbox detection and alarm system of this embodiment in practical application is shown in Figure 4 and mainly comprises the following steps:
1) Start. At this point all virtual machines are in the suspended state, waiting for an unknown program or file under test to be input from outside.
2) The unknown program or file under test is input to the basic sandbox module.
3) The execution environment is judged from the extension of the unknown program or file under test and from the auxiliary information carried in its own attributes. The execution environment includes the system version, the version of the software that runs the file, and so on.
4) The corresponding sandbox environment is started and the unknown program or file under test is run on the corresponding virtual machine. If no matching version is found, the user operating system and software environment of the latest version are started. If no software execution environment exists at all, the unknown program or file under test is retained in the system and a log is generated.
5) Process detection, which comprises the following detection rules:
A) When the unknown program or file under test creates a new process, it is allowed to create it; no alarm is produced at this point.
B) When the unknown program or file under test opens a process, it is allowed to open any process, and the returned result is monitored.
C) When the unknown program or file under test reads process data: for ordinary processes it is allowed to read, its data are only monitored and no alarm is produced; for strictly protected processes it is allowed to read, and an alarm is produced.
D) When the unknown program or file under test writes process data: if the target process is one it created itself, it is allowed to write, its data are only monitored and no alarm is produced; otherwise an alarm is produced.
E) When the unknown program or file under test terminates a process: if the terminated process is itself or one it created, its data are only monitored and no alarm is produced; otherwise an alarm is produced.
6) File detection, with a judgement of whether an alarm needs to be produced. File-detail detection monitors the API (Application Programming Interface) calls listed below:
7) Registry feature detection: whether the registry has changed, covering mainly registry creation, registry modification and registry deletion, with particular attention to the key values related to autostart. As soon as any of the above changes occurs, the unknown program or file under test is judged more likely to be a malicious program.
8) Service detail detection. The concrete method is to take a snapshot of the original system services and application services in the sandbox, then to monitor start, stop and add actions on services inside the sandbox and make a comprehensive judgement that generates an alarm. Much malware uses Windows system services to achieve autostart and obtain high privileges, so as soon as a new service is created, the unknown program or file under test is judged more likely to be a malicious program.
9) Network connection detection, with the following concrete method:
A) When the unknown program or file under test connects to the network, it is allowed to connect, and the remote IP address of the connection is recorded;
B) When the unknown program or file under test connects to a C&C server, the network characteristics are recorded for further discovery and tracking of the botnet, and an alarm is produced;
C) When the unknown program or file under test sends or receives data, the data content is recorded and it is determined whether it is C&C communication content; if so, an alarm is produced;
D) When the unknown program or file under test actively opens a listening port locally and waits for a controller to connect, the network listening details are recorded and an alarm is produced.
10) Judge whether, in steps 5) to 9), the unknown program or file under test read, modified or deleted critical system data, communicated with an external C&C server, or produced any other threatening action. If so, an alarm is produced and the original unknown program or file under test is stored in a safe zone at the same time; otherwise a log is generated and the unknown program or file under test is judged to pose no threat.
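The detection rules of steps 5) to 10) written out as executable code. This is an added example and not code from the patent or its applicants: the event schema (one dictionary per hooked action), the protected-process list, the autostart key prefixes, the C&C indicators and the sample trace are constructed assumptions, and a real sandbox would derive the events from hooks inside the virtual machine monitor.

```python
"""Rule evaluation for detection steps 5 to 10 over a constructed sandbox trace.
Added example, not the patent's code: the event schema, protected-process list,
autostart key prefixes, C&C indicators and the trace itself are assumptions."""
from dataclasses import dataclass, field

PROTECTED_PROCESSES = {"lsass.exe", "winlogon.exe", "csrss.exe"}  # rule 5 C), assumed list
AUTOSTART_KEY_PREFIXES = (  # step 7, case-insensitive prefix match
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\system\currentcontrolset\services",
)
KNOWN_C2_ADDRESSES = {"203.0.113.10"}  # step 9 B), constructed TEST-NET-3 address
C2_PAYLOAD_MARKERS = (b"cmd=", b"beacon", b"botid=")  # step 9 C), crude assumed signature

# Constructed trace of "sample.exe" (pid 1000) as VM-level hooks might report it.
SAMPLE_EVENTS = [
    {"type": "process_create", "child_pid": 1001, "image": "cmd.exe"},
    {"type": "process_open", "target": "explorer.exe", "result": "ok"},
    {"type": "process_read", "target": "explorer.exe", "nbytes": 64},
    {"type": "process_read", "target": "lsass.exe", "nbytes": 4096},
    {"type": "process_write", "target_pid": 1001, "nbytes": 512},
    {"type": "process_write", "target_pid": 4, "nbytes": 512},
    {"type": "process_terminate", "target_pid": 1001},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "upd"},
    {"type": "net_connect", "remote_ip": "198.51.100.7", "port": 443},
    {"type": "net_connect", "remote_ip": "203.0.113.10", "port": 8080},
    {"type": "net_send", "data": b"botid=7;cmd=ping"},
    {"type": "net_listen", "port": 4444},
]
SERVICES_BEFORE = {"EventLog", "Dhcp", "Schedule"}  # step 8 snapshot before the run
SERVICES_AFTER = {"EventLog", "Dhcp", "Schedule", "WinUpdSvc"}  # one service was added


@dataclass
class Verdict:
    alarms: list = field(default_factory=list)      # (category, detail) pairs
    log: list = field(default_factory=list)         # monitored-only actions
    remote_ips: list = field(default_factory=list)  # every connection, rule 9 A)
    quarantined: bool = False                       # step 10: sample kept in safe zone


def is_autostart_key(key: str) -> bool:
    return key.lower().startswith(AUTOSTART_KEY_PREFIXES)


def looks_like_c2(payload: bytes) -> bool:
    return any(marker in payload.lower() for marker in C2_PAYLOAD_MARKERS)


def evaluate(events, sample_pid, services_before, services_after) -> Verdict:
    """Apply rules 5 A) to 9 D) to one trace, then take the step 10 decision."""
    v = Verdict()
    own = {sample_pid}  # the sample itself plus every process it created

    def alarm(category, detail):
        v.alarms.append((category, detail))

    for ev in events:
        t = ev["type"]
        if t == "process_create":  # 5 A): allowed, never an alarm
            own.add(ev["child_pid"])
            v.log.append(f"created {ev['image']} as pid {ev['child_pid']}")
        elif t == "process_open":  # 5 B): any process may be opened, result recorded
            v.log.append(f"opened {ev['target']}: {ev['result']}")
        elif t == "process_read":  # 5 C): alarm only for strictly protected targets
            if ev["target"].lower() in PROTECTED_PROCESSES:
                alarm("process", f"read memory of protected {ev['target']}")
            else:
                v.log.append(f"read {ev['nbytes']} bytes from {ev['target']}")
        elif t == "process_write":  # 5 D): alarm unless the target is its own process
            if ev["target_pid"] in own:
                v.log.append(f"wrote {ev['nbytes']} bytes into own pid {ev['target_pid']}")
            else:
                alarm("process", f"cross-process write into pid {ev['target_pid']}")
        elif t == "process_terminate":  # 5 E): alarm unless self or a child is ended
            if ev["target_pid"] not in own:
                alarm("process", f"terminated foreign pid {ev['target_pid']}")
        elif t in ("registry_create", "registry_set", "registry_delete"):  # step 7
            if is_autostart_key(ev["key"]):
                alarm("registry", f"{t} on autostart key {ev['key']}")
            else:
                v.log.append(f"{t} {ev['key']}")
        elif t == "net_connect":  # 9 A)/B): always allowed, address recorded
            v.remote_ips.append(ev["remote_ip"])
            if ev["remote_ip"] in KNOWN_C2_ADDRESSES:
                alarm("network", f"connection to known C&C {ev['remote_ip']}")
        elif t in ("net_send", "net_recv"):  # 9 C): content recorded and checked
            if looks_like_c2(ev["data"]):
                alarm("network", f"C&C-like payload {ev['data']!r}")
        elif t == "net_listen":  # 9 D): waiting for a controller is itself an alarm
            alarm("network", f"opened local listening port {ev['port']}")

    for svc in sorted(services_after - services_before):  # step 8: snapshot diff
        alarm("service", f"new service {svc}")

    v.quarantined = bool(v.alarms)  # step 10: any alarm keeps the original in the safe zone
    return v
```

Rules 5 B) and 9 A) deliberately never alarm on their own; they only feed the log and the remote-address list used later for botnet tracking. The service check above is a pure snapshot diff, so it misses a service that is created and removed again during the run; monitoring the start, stop and add actions as events, as step 8 also describes, closes that gap.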
The warning information is divided hierarchically into high-level threat, intermediate threat, low-level threat, suspected threat and no threat, and at the same time the unknown program or file under test that triggered the alarm is recorded in the form of log information.
When an alarm is produced, different behaviour weights are obtained according to the alarm level triggered by the unknown program or file under test, so that alarms of different levels are produced. The concrete method for the weights and the alarms is described in the first embodiment of the invention and is not repeated here.
From the above application it can be seen that the host-feature-based sandbox detection and alarm system of this embodiment, while detecting an unknown program, lets the malicious program act on a virtual platform that closely approximates a real user environment, so that the false-positive rate is extremely low.
It is not difficult to see that this embodiment is the system embodiment corresponding to the first embodiment, and that the two can be implemented in cooperation. The technical details mentioned in the first embodiment remain valid in this embodiment and are not repeated here; correspondingly, the technical details mentioned in this embodiment also apply to the first embodiment.
It is worth mentioning that each module involved in this embodiment is a logical module; in practice a logical unit may be one physical unit, part of one physical unit, or a combination of several physical units. In addition, to highlight the innovative part of the invention, units not closely related to solving the technical problem addressed by the invention are not introduced in this embodiment, but this does not mean that no other units exist in this embodiment.
Those of ordinary skill in the art will understand that the embodiments described above are specific embodiments realising the invention, and that in practice various changes can be made to them in form and detail without departing from the spirit and scope of the invention.

Claims (10)

1. A host-feature-based sandbox detection and alarm method, the method being applied on the basis of a computer hardware system and a virtual machine, wherein a user operating system can run on the computer hardware system, the virtual machine provides a virtual system for an unknown program under test, and the unknown program under test runs on the virtual machine, characterised in that the host-feature-based sandbox detection and alarm method comprises at least:
inserting a virtual machine monitor between the user operating system and the computer hardware system, wherein the virtual machine monitor provides the virtual machine with a virtual hardware platform that fully simulates the computer hardware system, and the user operating system runs on the virtual hardware platform;
while the unknown program under test runs on the virtual machine, tracing and detecting the host features of the virtual system;
according to the tracing and detection results for the host features of the virtual system, identifying an alarm level, generating warning information corresponding to the alarm level, and recording the unknown program under test in the form of log information.
2. The host-feature-based sandbox detection and alarm method according to claim 1, characterised in that the host features of the virtual system mainly comprise instruction features and behavioural features;
the tracing and detection of the instruction features mainly comprises detecting the execution of code in the heap and stack and anomalous changes of memory space while instructions run, and using these to judge whether a vulnerability has been triggered;
the tracing and detection of the behavioural features of the virtual system mainly comprises detecting the details of processes, files, the registry, network connections and services, judging the threat posed by the unknown program under test from the detection results, and analysing the function of the unknown program under test.
3. The host-feature-based sandbox detection and alarm method according to claim 2, characterised in that detecting the details of the processes mainly comprises detecting whether the unknown program under test creates processes, terminates other processes, writes to the memory of another process, creates remote threads, injects global hooks, loads modules, loads drivers and modifies memory attributes;
detecting the details of the files mainly comprises detecting whether the unknown program under test creates, deletes or modifies files in system directories or sensitive directories;
detecting the details of the registry mainly comprises detecting whether the unknown program under test creates, modifies or deletes registry entries;
detecting the details of the network connections mainly comprises detecting whether the unknown program under test contains a C&C domain name, whether it actively opens a listening port locally and waits for a controller to connect (a remote-control Trojan), whether a connection to a C&C address exists among the network connections, and whether the data content transmitted over the network contains C&C communication content;
detecting the details of the services mainly comprises taking a snapshot of the original system services and application services in the sandbox and making a comprehensive judgement of the start, stop and add actions on services in the virtual machine monitor.
4. The host-feature-based sandbox detection and alarm method according to claim 3, characterised in that the concrete method for detecting the details of the processes is as follows:
when the unknown program under test creates a new process, it is allowed to create it and no alarm is produced;
when the unknown program under test opens a process, it is allowed to open any process, the returned open result is monitored, and no alarm is produced;
when the unknown program under test reads process data: for ordinary processes it is allowed to read, its data are only monitored and no alarm is produced; for strictly protected processes it is allowed to read, and an alarm is produced;
when the unknown program under test writes process data: if the target process is one it created itself, it is allowed to write, its data are only monitored and no alarm is produced; otherwise an alarm is produced;
when the unknown program under test terminates a process: if the terminated process is itself or one it created, its data are only monitored and no alarm is produced; otherwise an alarm is produced.
5. The host-feature-based sandbox detection and alarm method according to claim 3, characterised in that the concrete method for detecting the details of the network connections is as follows:
when the unknown program under test connects to the network, it is allowed to connect, and the remote IP address of the connection is recorded;
when the unknown program under test connects to a C&C server, the network characteristics are recorded for further discovery and tracking of the botnet, and an alarm is produced;
when the unknown program under test sends or receives data, the data content is recorded and it is determined whether it is C&C communication content; if so, an alarm is produced;
when the unknown program under test actively opens a listening port locally and waits for a controller to connect, the network listening details are recorded and an alarm is produced.
6. The host-feature-based sandbox detection and alarm method according to claim 1, characterised in that the concrete method of identifying the alarm level from the tracing and detection results for the host features of the virtual system, generating the warning information corresponding to the alarm level, and recording the unknown program under test in the form of log information is:
presetting the alarm conditions of different levels that a malicious program can trigger and the different warning information corresponding to the alarm conditions of each level, and dividing the threat level of each item of warning information;
determining, from the tracing and detection results for the host features of the virtual system, the alarm-condition level triggered by the unknown program under test;
obtaining the weights of the different behaviours according to the alarm-condition level triggered by the unknown program under test;
performing a weighted sum over all behaviours of the unknown program under test, generating the corresponding warning information from the result of the weighted sum, judging from the warning information the threat level corresponding to the unknown program under test, thereby confirming the maliciousness of the unknown program under test, and recording it in the form of log information.
7. The host-feature-based sandbox detection and alarm method according to claim 6, characterised in that, when dividing the threat level of each item of warning information, the warning information is divided hierarchically into high-level threat, intermediate threat, low-level threat, suspected threat and no threat.
8. The host-feature-based sandbox detection and alarm method according to claim 6, characterised in that the different behaviour weights obtained according to the alarm-condition level triggered by the unknown program under test mainly comprise a process weight a, a file weight b, a common registry/service weight c and a network-connection weight d, where a+b+c+d=1; and in that, when the weighted sum over all behaviours of the unknown program under test is performed, the process, file, registry/service and network-connection behaviours are weighted and summed one by one in that sequence.
9. The host-feature-based sandbox detection and alarm method according to claim 6, characterised in that, when setting the alarm conditions of different levels that a malicious program can trigger, the highest-level alarm conditions that a malicious program can trigger, set for files, the registry, services, the network and processes respectively, are as follows:
highest-level network alarm condition: the unknown program under test is found to communicate with a known C&C network;
highest-level registry alarm condition: the registry file changes while the unknown program under test reads or opens a file, or a sensitive region of the registry is modified while the unknown program under test runs;
highest-level file alarm condition: a file in a system directory or sensitive directory changes while the unknown program under test reads or opens a file or while it runs;
highest-level process alarm condition: an existing process is modified while the unknown program under test reads or opens a file or while it runs;
highest-level service alarm condition: a service is added while the unknown program under test reads or opens a file, or a service name known to be a threat appears while the unknown program under test runs.
10. A host-feature-based sandbox detection and alarm system, comprising a computer hardware system and a virtual machine, wherein a user operating system can run on the computer hardware system, the virtual machine provides a virtual system for an unknown program under test, and the unknown program under test runs on the virtual machine, characterised in that the host-feature-based sandbox detection and alarm system comprises at least:
a basic sandbox module, for inserting a virtual machine monitor between the user operating system and the computer hardware system, wherein the virtual machine monitor provides the virtual machine with a virtual hardware platform that fully simulates the computer hardware system, and the user operating system runs on the virtual hardware platform;
a host-feature analysis module, for tracing and detecting the host features of the virtual system while the unknown program under test runs on the virtual machine;
an alarm module, for identifying an alarm level from the tracing and detection results for the host features of the virtual system, generating warning information corresponding to the alarm level, and recording the unknown program under test in the form of log information.
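The alarm-level computation of claims 6 to 9 as an added example; this is not the patent's own code. The claims fix the four behaviour classes with weights a, b, c, d summing to 1, the sequential weighted sum, the five threat levels and the highest-level conditions; the numeric weights, the rank scale assigned to the lower-level conditions, the level cut-offs and the three constructed runs are assumptions.

```python
"""Weighted alarm-level computation of claims 6 to 9 (added example, not the
patent's code). The claims fix only the four behaviour classes, a+b+c+d=1 and
the five threat levels; the numeric weights, the per-category rank scale and
the level cut-offs below are assumptions."""

# Behaviour weights a, b, c, d of claim 8 (assumed values; they must sum to 1).
WEIGHTS = {"process": 0.30, "file": 0.20, "registry_service": 0.20, "network": 0.30}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9

# Alarm conditions per category with an assumed rank 1..3. Rank 3 entries are the
# highest-level conditions of claim 9; lower ranks are the alarms of claims 3 to 5.
MAX_RANK = 3
CONDITION_RANK = {
    "process": {"read_protected_process": 1, "cross_process_write": 2,
                "existing_process_modified": 3},
    "file": {"temp_file_written": 1, "system_or_sensitive_dir_file_changed": 3},
    "registry": {"registry_key_created": 1, "autostart_key_changed": 2,
                 "sensitive_registry_modified": 3, "registry_file_changed_on_open": 3},
    "service": {"service_stopped": 2, "service_added": 3, "known_threat_service_name": 3},
    "network": {"outbound_connection": 1, "listening_port_opened": 2,
                "known_c2_communication": 3},
}
# The five levels of claim 7; the minimum scores are assumed cut-offs.
THREAT_LEVELS = (
    (0.75, "high-level threat"), (0.50, "intermediate threat"),
    (0.25, "low-level threat"), (0.0, "suspected threat"),
)


def category_rank(category, observed):
    """Highest-ranked alarm condition seen in one category (0 if none)."""
    table = CONDITION_RANK[category]
    return max((table.get(cond, 0) for cond in observed), default=0)


def weighted_score(observed):
    """Weighted sum over process, file, registry/service and network, in that
    order (claim 8). Registry and service share weight c, so their ranks merge."""
    ranks = {cat: category_rank(cat, observed.get(cat, ())) for cat in CONDITION_RANK}
    terms = [("process", ranks["process"]), ("file", ranks["file"]),
             ("registry_service", max(ranks["registry"], ranks["service"])),
             ("network", ranks["network"])]
    score = 0.0
    for name, rank in terms:
        score += WEIGHTS[name] * (rank / MAX_RANK)
    return round(score, 6)


def threat_level(score):
    """Map a weighted score to one of the five levels of claim 7."""
    if score <= 0:
        return "no threat"
    return next(label for minimum, label in THREAT_LEVELS if score >= minimum)


def classify(observed):
    """Return (score, level) for the observed conditions of one sandbox run."""
    score = weighted_score(observed)
    return score, threat_level(score)


# Constructed observations for three runs (category -> conditions seen).
RUN_MALICIOUS = {"process": ["read_protected_process", "cross_process_write"],
                 "registry": ["autostart_key_changed"], "service": ["service_added"],
                 "network": ["outbound_connection", "known_c2_communication"]}
RUN_SUSPECT = {"network": ["outbound_connection"]}
RUN_CLEAN = {}

if __name__ == "__main__":
    for name, run in (("malicious", RUN_MALICIOUS), ("suspect", RUN_SUSPECT),
                      ("clean", RUN_CLEAN)):
        print(name, *classify(run))
```

With these assumed values a run that writes an autostart key, adds a service and talks to a known C&C address scores 0.7 and lands in the intermediate band; only a run that hits the highest-level condition in every class reaches 1.0. Because the weights form a convex combination, a single highest-level condition can never contribute more than its class weight, so a deployment that wants any contact with a known C&C network to rank as a high-level threat on its own must either raise d or apply an override outside the weighted sum.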
CN201510134971.XA 2015-03-26 2015-03-26 Host-feature-based sandbox detection and alarm method and system Expired - Fee Related CN104766011B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510134971.XA CN104766011B (en) 2015-03-26 2015-03-26 Host-feature-based sandbox detection and alarm method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510134971.XA CN104766011B (en) 2015-03-26 2015-03-26 Host-feature-based sandbox detection and alarm method and system

Publications (2)

Publication Number Publication Date
CN104766011A true CN104766011A (en) 2015-07-08
CN104766011B CN104766011B (en) 2017-09-12

Family

ID=53647833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510134971.XA Expired - Fee Related CN104766011B (en) 2015-03-26 2015-03-26 Host-feature-based sandbox detection and alarm method and system

Country Status (1)

Country Link
CN (1) CN104766011B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10943007B2 (en) * 2017-09-20 2021-03-09 Twistlock, Ltd System and method for defending applications invoking anonymous functions

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1801031A (en) * 2004-12-31 2006-07-12 福建东方微点信息安全有限责任公司 Method for judging whether a known program has been attacked by employing a program behavior knowledge base
CN1737722A (en) * 2005-08-03 2006-02-22 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN1845120A (en) * 2006-05-16 2006-10-11 北京启明星辰信息技术有限公司 Automatic analysis system and method for malicious code
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN102682229A (en) * 2011-03-11 2012-09-19 北京市国路安信息技术有限公司 Malicious code behavior detection method based on virtualization technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
韩奕 (Han Yi): "Research on Malicious Code Detection and Evaluation Based on Behaviour Analysis" (基于行为分析的恶意代码检测与评估研究), China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105656872A (en) * 2015-07-17 2016-06-08 哈尔滨安天科技股份有限公司 Attacker tracking method and system based on backbone network
CN105718792A (en) * 2015-08-13 2016-06-29 哈尔滨安天科技股份有限公司 Sandbox-based two-dimensional code detection method and system
CN106611122A (en) * 2015-10-27 2017-05-03 国家电网公司 Virtual execution-based unknown malicious program offline detection system
CN105320884A (en) * 2015-11-02 2016-02-10 南京安贤信息科技有限公司 Security protection method and system for virtual machine
CN105740705A (en) * 2015-12-28 2016-07-06 哈尔滨安天科技股份有限公司 LXC container-based host defense method and system
CN105978911A (en) * 2016-07-15 2016-09-28 江苏博智软件科技有限公司 Malicious code detection method and device based on virtual execution technology
CN105978911B (en) * 2016-07-15 2019-05-21 江苏博智软件科技有限公司 Malicious code detection method and device based on virtual execution technology
CN107729751A (en) * 2016-08-12 2018-02-23 阿里巴巴集团控股有限公司 Data detection method and device
CN106919837A (en) * 2016-10-20 2017-07-04 深圳市安之天信息技术有限公司 Unknown self-starting identification method and system for malicious code
CN106919837B (en) * 2016-10-20 2020-02-07 深圳市安之天信息技术有限公司 Unknown self-starting identification method and system for malicious code
CN106778273A (en) * 2016-12-28 2017-05-31 北京安天网络安全技术有限公司 Method and system for verifying malicious code liveness on a victim host
CN106549980A (en) * 2016-12-30 2017-03-29 北京神州绿盟信息安全科技股份有限公司 Malicious C&C server determination method and device
CN106549980B (en) * 2016-12-30 2020-04-07 北京神州绿盟信息安全科技股份有限公司 Malicious C&C server determination method and device
CN106878301A (en) * 2017-02-13 2017-06-20 国网江西省电力公司信息通信分公司 Advanced persistent threat detection method and system
CN108804914A (en) * 2017-05-03 2018-11-13 腾讯科技(深圳)有限公司 Anomaly data detection method and device
CN107392026A (en) * 2017-06-23 2017-11-24 北京小度信息科技有限公司 Vulnerability detection method and device
CN107403096A (en) * 2017-08-04 2017-11-28 郑州云海信息技术有限公司 Ransomware detection method based on file status analysis
CN107491691A (en) * 2017-08-08 2017-12-19 东北大学 Machine-learning-based security analysis system for remote forensic tools
CN107657176A (en) * 2017-09-26 2018-02-02 四川长虹电器股份有限公司 Unknown malicious code identification and analysis method based on behaviour analysis
CN107566401A (en) * 2017-09-30 2018-01-09 北京奇虎科技有限公司 Protection method and device for virtualized environment
CN107566401B (en) * 2017-09-30 2021-01-08 北京奇虎科技有限公司 Protection method and device for virtualized environment
CN107733927A (en) * 2017-11-28 2018-02-23 深信服科技股份有限公司 Botnet file detection method, cloud server, device and system
CN107733927B (en) * 2017-11-28 2021-10-19 深信服科技股份有限公司 Botnet file detection method, cloud server, device and system
CN110489970A (en) * 2018-05-14 2019-11-22 阿里巴巴集团控股有限公司 Vulnerability detection method, apparatus and system
CN109274676B (en) * 2018-10-07 2020-12-11 杭州安恒信息技术股份有限公司 Method, system and storage device for acquiring IP address of Trojan control terminal based on self-learning mode
CN109274676A (en) * 2018-10-07 2019-01-25 杭州安恒信息技术股份有限公司 Method and system for acquiring IP address of Trojan control terminal based on self-learning mode
CN109327451A (en) * 2018-10-30 2019-02-12 深信服科技股份有限公司 Method, system, device and medium for defending against file upload verification bypass
WO2020134311A1 (en) * 2018-12-26 2020-07-02 中兴通讯股份有限公司 Method and device for detecting malware
CN111444510A (en) * 2018-12-27 2020-07-24 北京奇虎科技有限公司 CPU vulnerability detection method and system based on virtual machine
CN109948336A (en) * 2019-01-29 2019-06-28 北京中安兴坤科技有限公司 Malicious code detection method and device
CN110417768A (en) * 2019-07-24 2019-11-05 北京神州绿盟信息安全科技股份有限公司 Botnet tracking method and device
CN110417768B (en) * 2019-07-24 2021-10-08 绿盟科技集团股份有限公司 Botnet tracking method and device
CN111680296A (en) * 2020-06-15 2020-09-18 杭州安恒信息技术股份有限公司 Method, device and equipment for identifying malicious programs in an industrial control system
CN113672918A (en) * 2021-08-04 2021-11-19 安天科技集团股份有限公司 Malicious code detection method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN104766011B (en) 2017-09-12

Similar Documents

Publication Publication Date Title
CN104766011A (en) Sandbox detection alarming method and system based on main engine characteristic
Milajerdi et al. Holmes: real-time apt detection through correlation of suspicious information flows
Hossain et al. Combating dependence explosion in forensic analysis using alternative tag propagation semantics
Hou et al. Deep4maldroid: A deep learning framework for android malware detection based on linux kernel system call graphs
CN104598824B (en) A kind of malware detection methods and device thereof
Xiong et al. CONAN: A practical real-time APT detection system with high accuracy and efficiency
CN104283889B (en) APT attack detectings and early warning system inside electric system based on the network architecture
CN102647421B (en) The web back door detection method of Behavior-based control feature and device
US20220371621A1 (en) Stateful rule generation for behavior based threat detection
CN106611122A (en) Virtual execution-based unknown malicious program offline detection system
Stolfo et al. Anomaly detection in computer security and an application to file system accesses
WO2017071148A1 (en) Cloud computing platform-based intelligent defense system
CN103218561B (en) Tamper-proof method and device for protecting browser
CN111859394A (en) TEE-based software behavior active measurement method and system
Lee et al. Securing KVM-based cloud systems via virtualization introspection
Mishra et al. PSI-NetVisor: Program semantic aware intrusion detection at network and hypervisor layer in cloud
Rajput et al. Remote non-intrusive malware detection for plcs based on chain of trust rooted in hardware
Yang et al. Ratscope: Recording and reconstructing missing rat semantic behaviors for forensic analysis on windows
Chandrasekaran et al. Spycon: Emulating user activities to detect evasive spyware
Papazis et al. Detecting indicators of deception in emulated monitoring systems
Yuan et al. Research of intrusion detection system on android
Iffländer et al. Hands off my database: Ransomware detection in databases through dynamic analysis of query sequences
Cavallaro et al. Taint-enhanced anomaly detection
Mei et al. CTScopy: hunting cyber threats within enterprise via provenance graph-based analysis
Tan et al. Attack provenance tracing in cyberspace: solutions, challenges and future directions

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
CB03 Change of inventor or designer information

Inventor after: Liu Zhiyong

Inventor after: Wang Hongkai

Inventor after: Zhang Xudong

Inventor after: Xia Zhengmin

Inventor after: Wu Jun

Inventor after: Dai Bo

Inventor after: Gong Xiaogang

Inventor after: Li Jianhua

Inventor before: Liu Zhiyong

Inventor before: Wang Hongkai

Inventor before: Xia Zhengmin

Inventor before: Wu Jun

Inventor before: Su Yating

Inventor before: Li Jianhua

COR Change of bibliographic data
TA01 Transfer of patent application right

Effective date of registration: 20160302

Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant after: State Grid Corporation of China

Applicant after: Information and Telecommunication Branch of State Grid Zhejiang Electric Power Company

Applicant after: Beijing Guodiantong Network Technology Co., Ltd.

Applicant after: Shanghai Jiao Tong University

Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant before: State Grid Corporation of China

Applicant before: Beijing Guodiantong Network Technology Co., Ltd.

GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170912

Termination date: 20180326